
List:       emerging-sigs
Subject:    Re: [Emerging-Sigs] SIG: Cerber Ransomware
From:       Darien Huss <dhuss () emergingthreats ! net>
Date:       2016-10-27 12:54:11
Message-ID: CAKcCgkWuiJhiiLiO4gzdLBMYbLrQM9Xw-OigYpw8Ha4PFDwz_A () mail ! gmail ! com

Thanks Kevin, looks like we cover this in PRO with 2816763 so we'll get
that moved over today!

Regards,
Darien

On Thu, Oct 27, 2016 at 8:13 AM, Kevin Ross <kevross33@googlemail.com>
wrote:

> alert udp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET TROJAN
> W32/Cerber.Ransomware Initial CnC Beacon"; dsize:10; content:"hi"; depth:2;
> pcre:"/^hi[a-f0-9]{8}$/"; classtype:trojan-activity; sid:156611; rev:1;)
>
> Kind Regards,
> Kevin Ross
>
> This is what it looks like
> [image: Inline images 2]
>
> [image: Inline images 1]
>
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs@lists.emergingthreats.net
> https://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>
> Support Emerging Threats! Subscribe to Emerging Threats Pro
> http://www.emergingthreats.net
>
>
>
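
The port and payload options of the rule quoted above, re-expressed as an offline check that can be run against constructed datagrams when regression-testing the signature. This is an added example, not code from the thread or from Emerging Threats; `matches_rule`, `SAMPLES`, and every port and payload in it are constructed, and it assumes the caller passes only outbound UDP datagrams ($HOME_NET to $EXTERNAL_NET).

```python
import re

# pcre:"/^hi[a-f0-9]{8}$/" -- fullmatch() supplies the ^ and $ anchors.
# With dsize:10 a trailing newline cannot be present, so this is equivalent.
BEACON_RE = re.compile(rb"hi[a-f0-9]{8}")
MIN_DST_PORT = 1024  # destination port range "1024:" in the rule header


def matches_rule(dst_port: int, payload: bytes) -> bool:
    """True if an outbound UDP datagram satisfies the rule's options."""
    if dst_port < MIN_DST_PORT:        # $EXTERNAL_NET 1024:
        return False
    if len(payload) != 10:             # dsize:10
        return False
    if payload[:2] != b"hi":           # content:"hi"; depth:2 (case-sensitive)
        return False
    return BEACON_RE.fullmatch(payload) is not None


# Constructed test datagrams: (label, destination port, UDP payload).
SAMPLES = [
    ("well-formed", 40000, b"hi0a1b2c3d"),
    ("uppercase hex", 40000, b"hi0A1B2C3D"),
    ("nine bytes", 40000, b"hi0a1b2c3"),
    ("eleven bytes", 40000, b"hi0a1b2c3d4"),
    ("non-hex tail", 40000, b"hi0a1b2c3g"),
    ("capital prefix", 40000, b"Hi0a1b2c3d"),
    ("low dst port", 53, b"hi0a1b2c3d"),
]


def matching_labels(samples=SAMPLES):
    """Return the labels of the samples the rule would alert on."""
    return [label for label, port, data in samples if matches_rule(port, data)]


if __name__ == "__main__":
    for label, port, data in SAMPLES:
        verdict = "ALERT" if matches_rule(port, data) else "no match"
        print(f"{label:15} dport={port:<6} {data!r:16} {verdict}")
```
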
